If an Apache module or a script called from an embedded
module (e.g. mod_perl or mod_php) changes the current
locale, the log file can log month names in the new locale,
confusing log analysers.

<Location> sections inside
<VirtualHost> do not override
<Location> sections in the main server. This is
different to almost all other directives, and means that
virtual hosts cannot override <Location> sections
defined in the main server. Because of partial matching of
the URL, a section like <Location /> in the main
server will override all <Location> sections in the
virtual host.

The scoreboard display from mod_status shows the parent pid
in slots where the child is dead. This can be confusing,
and has been replaced with dash for dead child pid.

Patches to Apache 1.2 bugs will be made available in the 1.2
patches directory on the Apache site. This directory also
includes some minor new features which did not make it into
the 1.2 release. For details of all previously reported bugs,
see the Apache bug
database and Known
Bugs page. Many common configuration questions are
answered in the Apache FAQ.

An update to 1.2 will be released shortly. This is 1.2.1,
which fixes a few relatively minor bugs in 1.2. There are
also some security fixes which are important if you do not
trust all your local content providers. Note that these
security issues cannot be exploited remotely - they are only
relevant if you do not trust all the people who can create
content on your server.

The main bugs fixed in 1.2.1. are:

Some security fixes to ensure that Apache only serves up
the contents of directories, files or symlinks and not (for
example) pipes or named sockets. This could be used by
untrustworthy local users to implement a form of CGI even
if CGI permissions are disabled. Other security fixes
prevent directory indexes from including files outside the
current directory (with HeaderName and
ReadmeName) or from using symlinks in
directory indexes or type-map files if disabled by the
configuration.

Prevent Apache running as user root for security reasons.

Work around problems with third-party libraries which
cannot use high-numbers file descriptors.

Work around problem in Solaris 2 which cannot use streams
with file descriptors about 256.

Better logging of Unix system errors

Fix content-negotiation to use smallest of equally
acceptable variants, or if all else equal, to use the first
listed variant

The July Netcraft Server Survey
shows that over 512,000 sites on the Internet now use Apache.
That is 43% of all sites surveyed. The next most widely used
server, Microsoft's IIS, is used at 186,000 sites, or 17% of
the total.

Although the number of sites running Apache, Microsoft and
Netscape servers increased in absolute numbers, only
Microsoft increased in percentage share (by 0.24%). Apache
went down by 1.21%. However many sites are running Apache
with slightly different server labels (since the source code
is available, sites can change the server label which means
it will not be identified by the survey as Apache). There are
probably lots of sites using Apache under a different name.

For example, there are servers based on Apache with server
labels such as "-Apache", "Apache-SSL-US", "Apache-SSL",
"InfoWest-Custom-Apache", "Apache-NeoWebScript". There are
also Apache servers with labels which do not mention Apache,
such as "RapidSite" which is a customised version of Apache.
In fact, RapidSite runs on 27,860 sites which accounts for
2.3% of the whole survey. When added to the overall totals
for Apache it gives Apache a market share of 44.93%. So the
figures for Apache use and percentage as given in the survey
should be taken as absolute minimums, and the real number of
sites using Apache or Apache-based servers will be higher.

Unless otherwise noted, all the new features discussed here
are planned for Apache 1.3 and not Apache 1.2.1.

Prevent Apache Running as Root

Apache is normally started as root, and each child process
then runs as a different user specified by the
User directive. However it is currently possible
to specify root as the argument to User. This is
potentially very insecure, since any flaw in the server or
CGIs run from the server could give outsiders unlimited
access to the server machine. Since it is a bad idea to
specify User root, Apache 1.2.1 and 1.3 will
both refuse to run as User root (Apache can
still be started by root).

This restriction can be overridden with an explicit
compile-time option on EXTRA_CFLAGS in the
Configuration file.

Accept Lock-File Moved

When Apache runs it creates multiple children who all wait
for a new incoming request. On some systems the children go
straight into a system accept() call, and the OS
decides which one to use for each request. However many
systems do not work properly like this, so Apache implements
its own locking to ensure that only one child is doing an
accept() at any given time. This works by
creating an empty "lock file" and the child in the accept()
call locks this file, while the other children wait for the
lock to be removed. In all previous releases of Apache, the
lock file is located in /var/tmp or
/usr/tmp (depending on the operating system).

In new releases the lock file will be created by default in
the logs directory under the server root (the
same place as the default PID file and logs) and will be
called accept.lock.pid. The location and
filename can be changed with the new LockFile
directive. (This is part of Apache 1.2.1).

Configurable Listen Queue Size

When a new TCP connection arrives for the server the
operating system adds it to a "listen queue". Normally the
size of this queue does not need altering. However there may
be some situations when it is desirable to alter it - for
example, if your server is being targetted by a TCP SYN
denial of service flood. The new directive is called
ListenBacklog and defaults to 511 if not given
(although some OSes will reduce this to a smaller value). See
your system's manual page description of the second argument
to listen() for more details.

Speed Ups

At each phase of handling a request, Apache tries to call a
corresponding function in all modules. Many modules do not
install handlers for most stages, so much of the time the
Apache code is just checking if a callback function is NULL.
A proposed speed-up is to analyse all the callback functions
and build lists of only the non-NULL callback functions for
each module API phase. This results in faster execution of
the callbacks since Apache does not have to iterate over the
NULL entries in the module definitions. Since the code which
checks for callbacks is called very often (once for every
callback in each request) a speed-up here can have a real
effect on overall performance.

The way that Apache handles <Directory> sections can
also be optimized. At the moment it checks every
<Directory> section against all components of the path
of the request resource. An optimisation is to only match
directories against <Directory> sections with the same
number of path components.

API Changes

When spawning children with spawn_child_err() a
module can determine how the child should be killed when the
request is over. If a child is to be killed it is sent a TERM
signal, then three seconds later a KILL. Some child processes
may take longer than three seconds to exit, so a new option
has been added to prevent the sending of the KILL.

Module functions can now return the status DONE
as well as OK, DECLINED or HTTP
error status. DONE indicates that the module function has
finished all processing for this request (i.e. send back a
response) so no more output is needed.

A new defined constant is available,
APACHE_RELEASE_DATE which gives the date that
Apache was released. Modules can use this at compile time to
determine what functionality exists in Apache for this
particular version.

The core Apache code can now use sfio
replacement for stdio. The normal standalone_main() can also
be replaced.

Configuration Syntax Changed

The Configuration option
EXTRA_LFLAGS has been renamed
EXTRA_LDFLAGS in 1.3. This is because "LFLAGS"
can have a special meaning to Unix makefiles (it gives
options for the lex command), but was being used for options
to the linker. The proper name for options to the linker in
LDFLAGS.

In early betas of 1.2 there were problems with large numbers
of connections going into a FIN_WAIT_2 state. If
the operating system did not time out these connects it would
eventually fill the network buffers and cause the machine to
crash. The Apache code was extensively modified to minimise
the number of FIN_WAIT_2 states. However it is still possible
for connections to go into this state due to the action of
the client or the network. This is more likely to happen when
keepalives are being used, so for operating systems without a
FIN_WAIT_2 timeout (such as SunOS 4) it is recommended that
keepalives are turned off with KeepAlive off.

All documents returned from a web server have to have a
"Content Type" (often also called a "mime" type). This is
normally obtained from the file extension, using "mime.types"
file or the AddType directive to map the
extension onto a proper mime type. If there is no valid
extension that Apache knows about, it will use the default
type as specified by DefaultType.

On some sites it might not be possible to give files the
correct extension. In this case the default type will be
used. But in many cases the correct content type could be
guessed at by looking inside the file. A new module,
mod_mime_magic does this. It is based on the standard
Unix program file which identifies the type of a
file based on its contents.